
External HDD Shortcut Virus Help!

October 10, 2012 5:54:15 PM

Hey everyone.

I don't know if this is the best category for the problem I'm having, but here it goes.

My problem:
I have a 1TB external hard drive that seems to have a virus on it. This virus has made every folder and every file that's not in a folder a shortcut. When I click a folder or file that's turned into a shortcut, it takes me to my documents instead, so I can't access any of my files at all.

What I've done so far:
I've already run a complete Malwarebytes scan, and I've run other virus scans, but I've had no luck finding this virus so far.

What I can't do:
Please don't tell me to just move my files onto another hard drive and format my hard drive. I just simply don't have another hard drive that's even close to the same size as my 1TB external, so I just can't do that. I realize it would be the best way to get rid of the virus, but I can't do it.

October 10, 2012 8:06:31 PM

John_VanKirk said:
Hello,

Here are a couple of URLs that discuss an ext drive virus that converts files to shortcuts, including a Symantec discussion

http://www.symantec.com/business/support/index?page=con...

and a MS community one

http://answers.microsoft.com/en-us/windows/forum/window...


Okay, so what I'm getting from both those links is that there's an .inf file (or some kind of file) somewhere on my hard drive that's changing all of the folders into icons.

So, what I just did was I went into the folder options to allow me to see absolutely everything that's on my hard drive (even hidden folders, files, etc) and found that all of my folders and files are hidden. I can access all of my folders and files with no problem now, except that I can only see them when I have everything showing and if I've enabled showing hidden folders, files, etc.

I right-clicked one of the shortcuts, and looked at where its target location is, and it's somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe.

EDIT: I just discovered that when I go into the security tab to change permissions and access and such, I can't change permissions on any of my files. When I try and change permissions, or when I try and remove group or users name, it gives me a Windows Security message saying "You can't remove X (X being the name of the account or group) because this object is inheriting permissions from its parent. To remove X, you must prevent this object from inheriting permissions, and then try removing X" What the heck does that message mean???
October 10, 2012 8:24:54 PM

Are you SURE that Unhide.exe won't delete my files? Can anyone else confirm if Unhide.exe is legitimate?
October 10, 2012 9:07:29 PM

Have never used unhide.exe, so can't give you any 1st hand advice.

The usage instructions at BleepingComputer Review says:
Usage Instructions:
Quote:
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note, that this program will not unhide removable drives like flash cards and usb drives as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.


I think your drive is a USB connected drive, so that needs further clarification.
October 10, 2012 9:10:36 PM

John_VanKirk said:
Have never used unhide.exe, so can't give you any 1st hand advice.

The usage instructions at BleepingComputer Review says:
Usage Instructions:
Quote:
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note, that this program will not unhide removable drives like flash cards and usb drives as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.


I think your drive is a USB connected drive, so that needs further clarification.


Sorry I didn't clarify. Yes, it's a USB external hard drive.
October 11, 2012 12:36:10 AM

IMHO, Windows's autorun feature is a security nightmare. I always disable autorun for every storage device. To do this, I use 0xFF as the value of the NoDriveTypeAutoRun registry entry.

How to disable the Autorun functionality in Windows:
http://support.microsoft.com/kb/967715

I also like to disable Auto Insert Notification, eg ...

http://support.microsoft.com/kb/138598

Could you post the contents of the AUTORUN.INF file? You can view it with a text editor such as NotePad.
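The NoDriveTypeAutoRun value mentioned in the post above can be audited from PowerShell. This is an added example, not part of the original thread: the registry path and bit meanings are those documented in KB967715, and the function name `Get-AutoRunPolicy` is hypothetical.

```powershell
# Added example (not from the thread). Read-only: reports the current setting.
# In NoDriveTypeAutoRun, a set bit disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown type' },
    @{ Bit = 0x04; Name = 'removable' },
    @{ Bit = 0x08; Name = 'fixed' },
    @{ Bit = 0x10; Name = 'network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'unknown type (0x80)' }
)

function Get-AutoRunPolicy {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            [pscustomobject]@{ Key = $key; Value = '(not set)'; AutoRunStillOn = 'Windows default applies' }
            continue
        }
        $raw = $prop.NoDriveTypeAutoRun
        # Normally a REG_DWORD; if the value is binary, only its low byte matters.
        $value = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw -band 0xFF }
        # Drive types whose bit is clear still have AutoRun enabled.
        $on = @($DriveTypeBits | Where-Object { -not ($value -band $_.Bit) } |
                ForEach-Object { $_.Name })
        $summary = if ($on.Count) { $on -join ', ' } else { 'none (disabled for all drive types)' }
        [pscustomobject]@{ Key = $key; Value = ('0x{0:X2}' -f $value); AutoRunStillOn = $summary }
    }
}

Get-AutoRunPolicy | Format-List
```

With the 0xFF value from the post, `AutoRunStillOn` reads "none" for that key; any drive type listed there can still trigger AutoRun.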
October 11, 2012 12:43:43 AM

fzabkar said:
IMHO, Windows's autorun feature is a security nightmare. I always disable autorun for every storage device. To do this, I use 0xFF as the value of the NoDriveTypeAutoRun registry entry.

How to disable the Autorun functionality in Windows:
http://support.microsoft.com/kb/967715

I also like to disable Auto Insert Notification, eg ...

http://support.microsoft.com/kb/138598

Could you post the contents of the AUTORUN.INF file? You can view it with a text editor such as NotePad.


I've already deleted every autorun file in my hard drive (that's not linked to a program I know of)
October 11, 2012 1:42:58 AM

CMD.EXE is the command interpreter for the NT class of OSes (similar to command.com). Running the command without arguments should just bring up a DOS window and do nothing more.

Is CMD.EXE the original Microsoft file, and does the shortcut have any arguments, eg ...

cmd.exe /c malware.exe

... where "malware.exe" is the payload.

You could upload cmd.exe for offline scanning to http://www.virustotal.com/ where it will be scanned by ~40 antivirus software.
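The check asked for in the last post (does the shortcut pass arguments to cmd.exe?) can be run over every shortcut on the drive at once. This is an added example, not part of the original thread: the function name `Get-ShortcutReport` and the drive letter `E:\` are assumptions, and it assumes each shortcut is named after the hidden item it replaced.

```powershell
# Added example (not from the thread). Read-only: nothing on the drive is changed.
function Get-ShortcutReport {
    param([Parameter(Mandatory)][string]$Path)   # folder to inspect, e.g. the drive root

    # Names of hidden items in the same folder (hashtable keys are case-insensitive).
    $hidden = @{}
    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object { $hidden[$_.Name] = $true }

    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Path -Filter *.lnk -Force -File | ForEach-Object {
        # CreateShortcut on an existing .lnk loads it; Save() is never called here.
        $lnk  = $shell.CreateShortcut($_.FullName)
        $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        [pscustomobject]@{
            Shortcut       = $_.Name
            Target         = $lnk.TargetPath
            Arguments      = $lnk.Arguments
            # A shortcut to cmd.exe is only interesting if it carries arguments.
            CmdWithArgs    = ($lnk.TargetPath -match '\\cmd\.exe$') -and [bool]$lnk.Arguments
            # True when a hidden file or folder with the shortcut's base name exists.
            HiddenOriginal = $hidden.ContainsKey($base)
        }
    }
}

# E:\ is an assumed drive letter for the external disk.
Get-ShortcutReport -Path 'E:\' | Format-List

# SHA-256 of the local cmd.exe, for comparison against a scan service's record.
Get-FileHash -Algorithm SHA256 -LiteralPath "$env:SystemRoot\System32\cmd.exe"
```

Rows where `CmdWithArgs` is true show in `Arguments` exactly what the shortcut runs, which is the information the post asks for.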